package hudson.security.csrf;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.ModelObject;
import hudson.model.PersistentDescriptor;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import jenkins.model.Jenkins;
import jenkins.security.HexStringConfidentialKey;
import jenkins.util.SystemProperties;
import net.sf.json.JSONObject;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:WEB-INF/lib/jenkins-core-2.331-rc31990.87cc7f9a_78c1.jar:hudson/security/csrf/DefaultCrumbIssuer.class */
/**
 * Default CSRF crumb issuer.
 *
 * <p>A crumb is the hex-encoded SHA-256 of {@code "<user>;<client-ip>;<session-id>"} followed by the
 * salt passed in by the caller ({@link #issueCrumb}), so a crumb is only usable by the same
 * principal, from the same client address (unless {@link #isExcludeClientIPFromCrumb()}), and within
 * the same HTTP session (unless {@link #EXCLUDE_SESSION_ID}). Validation is a constant-time
 * comparison of the presented value against a freshly issued crumb.
 *
 * <p>Thread-safety: the shared {@link MessageDigest} is guarded by {@code synchronized} on the
 * methods that touch it.
 */
public class DefaultCrumbIssuer extends CrumbIssuer {
    // Shared digest; null when SHA-256 is unavailable, in which case no crumb can be issued.
    private transient MessageDigest md;
    // Persisted configuration flag (field name is part of the on-disk XML form; do not rename).
    private boolean excludeClientIPFromCrumb;
    private static final String X_FORWARDED_FOR = "X-Forwarded-For";

    /**
     * When {@code true} the session id is left out of the crumb material, which loosens the crumb's
     * binding to a single session. Read from the {@code DefaultCrumbIssuer.EXCLUDE_SESSION_ID} system
     * property at class load; deliberately non-final so it can be flipped from the script console.
     */
    @Restricted({NoExternalUse.class})
    @SuppressFBWarnings(value = {"MS_SHOULD_BE_FINAL"}, justification = "for script console")
    public static boolean EXCLUDE_SESSION_ID = SystemProperties.getBoolean(DefaultCrumbIssuer.class.getName() + ".EXCLUDE_SESSION_ID");
    private static final Logger LOGGER = Logger.getLogger(DefaultCrumbIssuer.class.getName());

    /** Descriptor for the {@code standard} crumb issuer; supplies the per-instance crumb salt. */
    @Extension
    @Symbol({"standard"})
    /* loaded from: input_file:WEB-INF/lib/jenkins-core-2.331-rc31990.87cc7f9a_78c1.jar:hudson/security/csrf/DefaultCrumbIssuer$DescriptorImpl.class */
    public static final class DescriptorImpl extends CrumbIssuerDescriptor<DefaultCrumbIssuer> implements ModelObject, PersistentDescriptor {
        // 16-byte salt kept in the instance's confidential store; mixed into every crumb.
        private static final HexStringConfidentialKey CRUMB_SALT = new HexStringConfidentialKey(Jenkins.class, "crumbSalt", 16);

        /**
         * Builds the descriptor with the stored salt and the crumb request-field name, which can be
         * overridden via the {@code hudson.security.csrf.requestfield} system property.
         */
        public DescriptorImpl() {
            super(CRUMB_SALT.get(), SystemProperties.getString("hudson.security.csrf.requestfield", CrumbIssuer.DEFAULT_CRUMB_NAME));
        }

        /** {@inheritDoc} */
        @Override // hudson.model.Descriptor
        public String getDisplayName() {
            return Messages.DefaultCrumbIssuer_DisplayName();
        }

        /**
         * Binds the submitted form JSON to a new {@link DefaultCrumbIssuer}.
         *
         * @param staplerRequest the form request; must not be null
         * @param jSONObject the submitted configuration
         * @return the bound issuer
         * @throws Descriptor.FormException if {@code staplerRequest} is null
         */
        @Override // hudson.model.Descriptor
        /* renamed from: newInstance */
        public CrumbIssuer newInstance2(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            if (staplerRequest != null) {
                return (DefaultCrumbIssuer) staplerRequest.bindJSON(DefaultCrumbIssuer.class, jSONObject);
            }
            throw new Descriptor.FormException("DefaultCrumbIssuer new instance method is called for null Stapler request. Such call is prohibited.", "req");
        }
    }

    /**
     * Creates an issuer.
     *
     * @param z whether to omit the client IP from the crumb material (useful when clients sit
     *     behind address-rewriting proxies; weakens the crumb's binding to one client)
     */
    @DataBoundConstructor
    public DefaultCrumbIssuer(boolean z) {
        this.excludeClientIPFromCrumb = z;
        initializeMessageDigest();
    }

    /** @return {@code true} if the client IP is left out of the crumb material */
    public boolean isExcludeClientIPFromCrumb() {
        return this.excludeClientIPFromCrumb;
    }

    /** Re-creates the transient digest after deserialization from the persisted XML form. */
    private Object readResolve() {
        initializeMessageDigest();
        return this;
    }

    /**
     * Obtains a SHA-256 {@link MessageDigest}. On failure the digest is cleared and a SEVERE entry is
     * logged, after which {@link #issueCrumb} returns {@code null} for every request.
     */
    private synchronized void initializeMessageDigest() {
        try {
            this.md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            this.md = null;
            LOGGER.log(Level.SEVERE, e, () -> "Cannot find SHA-256 MessageDigest implementation.");
        }
    }

    /**
     * Computes the crumb for the given request.
     *
     * <p>Material is {@code "<user>;"}, then the client IP (unless excluded), then {@code ";<session-id>"}
     * (unless {@link #EXCLUDE_SESSION_ID}), hashed together with {@code str}. Note that the no-arg
     * {@code getSession()} call creates a session when the request has none.
     *
     * @param servletRequest the request; only {@link HttpServletRequest} is supported
     * @param str the salt appended to the material — presumably the descriptor's {@code CRUMB_SALT},
     *     handed down by {@code CrumbIssuer}; confirm against the superclass
     * @return the hex-encoded digest, or {@code null} for non-HTTP requests or when no digest is available
     */
    @Override // hudson.security.csrf.CrumbIssuer
    protected synchronized String issueCrumb(ServletRequest servletRequest, String str) {
        if (this.md == null || !(servletRequest instanceof HttpServletRequest)) {
            return null;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String principal = Jenkins.getAuthentication2().getName();
        String clientPart = isExcludeClientIPFromCrumb() ? "" : getClientIP(request);
        String material = principal + ';' + clientPart;
        if (!EXCLUDE_SESSION_ID) {
            material += ';' + request.getSession().getId();
        }
        this.md.update(material.getBytes(StandardCharsets.UTF_8));
        byte[] digest = this.md.digest(str.getBytes(StandardCharsets.US_ASCII));
        return Util.toHexString(digest);
    }

    /**
     * Checks a presented crumb by re-issuing one for the request and comparing in constant time.
     *
     * @param servletRequest the request carrying the crumb
     * @param str the salt (see {@link #issueCrumb})
     * @param str2 the crumb value presented by the client; may be null
     * @return {@code true} only for an HTTP request whose re-issued crumb equals {@code str2}
     */
    @Override // hudson.security.csrf.CrumbIssuer
    public boolean validateCrumb(ServletRequest servletRequest, String str, String str2) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return false;
        }
        // Issue before checking str2: the original evaluated in this order (issuing may create a session).
        String expected = issueCrumb(servletRequest, str);
        if (expected == null || str2 == null) {
            return false;
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.US_ASCII);
        byte[] presentedBytes = str2.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expectedBytes, presentedBytes);
    }

    /**
     * Resolves the client address used in the crumb material.
     *
     * <p>Prefers the first entry of {@code X-Forwarded-For} when present. That header is
     * client-controllable; here it only changes which address the caller's own crumb is bound to,
     * so deployments with a proxy that rewrites it should confirm the proxy sets it consistently.
     * The first element is not trimmed, so surrounding whitespace is part of the material.
     *
     * @param httpServletRequest the request
     * @return the first forwarded address, or {@code getRemoteAddr()} when the header is absent or empty
     */
    private String getClientIP(HttpServletRequest httpServletRequest) {
        String fallback = httpServletRequest.getRemoteAddr();
        String forwardedFor = httpServletRequest.getHeader(X_FORWARDED_FOR);
        if (forwardedFor == null) {
            return fallback;
        }
        String[] hops = forwardedFor.split(",");
        // split(",") drops trailing empty elements, so a header of only commas yields length 0.
        return hops.length >= 1 ? hops[0] : fallback;
    }
}
